Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    25/01/2024, 21:34

General

  • Target

    7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe

  • Size

    196KB

  • MD5

    f1808d127abeb2b08d82a2c7c876704a

  • SHA1

    a5700b817afc5f3225beccd0806233fee20e8e2c

  • SHA256

    7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55

  • SHA512

    69550c93dbf33b663168c60475f808aefda15e4bd150b49bdeaf2915e7836714a1c506d21740fe744ed4311806c5d36843c3b3b7832a9301c6ebc116a7b8488a

  • SSDEEP

    6144:rBs27MMLyX5HXXXDTXXXOGqIII+pXXX5AYjKXXXDoXXXG6XXXxXXXLIIIEAkOCOa:rK20HXXX/XXXFqIIIcXXX5j2XXXcXXX3

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe
    "C:\Users\Admin\AppData\Local\Temp\7cea1767baeaf202fd525460218ce036a08405a49b3d0a20d5211d22d0272e55.exe"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\7CEA17~1.EXE > nul
      2⤵
      • Deletes itself
      PID:2932
  • C:\Windows\Debug\rwmhost.exe
    C:\Windows\Debug\rwmhost.exe
    1⤵
    • Executes dropped EXE
    • Checks processor information in registry
    PID:1968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Windows\debug\rwmhost.exe

    Filesize

    196KB

    MD5

    0b3e6df53d8ebc5ac9683922eb275761

    SHA1

    f4744a48b879ce7e989ef74eedd537e27029a4f8

    SHA256

    760b71f5ec84d2d7ad7eceaecc039ec2af7859f3b88de58e41ab595f919999ef

    SHA512

    c921a16a1b620e7a61b3a480fe2e3e79f77539698f79d36febd74ce6e88b9e244f7beb13cd6d54241596d8860e8977805503744e441f0ab02f5333105e7f14c6